The MAILING DATE of this communication appears on the cover sheet with the correspondence address --

EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview with 
Elaine Chi, Reg. No. 61,194 on March 13, 2009. 

The application has been amended as follows: 
In the claims: 

1. (Currently Amended) A method for protecting a distributed application user, comprising: 
providing a distributed application on a server; 

generating a single security value for an authenticated user of the distributed application, 
wherein every user is authenticated prior to generating the security value and the security value 
is a pseudo-random number; 

associating the security value with a set of commands of the distributed application, 
wherein each command comprises a command that can be used in a malicious attack against 
the authenticated user, wherein the associating step comprises associating the security value to
a set of uniform resource locators (URLs) that correspond to a set of commands of the 
distributed application ; 

receiving one of the set of commands on the server from the authenticated user, wherein
the one command comprises a command to delete files of the authenticated user, and wherein
the receiving step comprises receiving one of the set of URLs on the server from the
authenticated user;

determining if the one command is required to be associated with the security value, 
wherein the command is required to be associated with the security value if the command can 
be used in a malicious attack; 

executing the one command if the one command is not required to be associated with 
the security value; and 

if the one command is required to be associated with the security value: 

checking the one command for the security value to determine if the one 
command originated from the authenticated user; 

preventing execution of the one command if the security value is not found with 
the one command or if there is an error in the security value; and 

returning an error message to the authenticated user if the security value is not 
found with the one command or if there is an error in the security value, wherein the 
error message prompts the authenticated user for confirmation before the one command 
can be executed. 

2. (Canceled). 

3. (Canceled). 

4. (Previously Presented) The method of claim 1, wherein the security value, as a pseudo- 
random number, is generated by a random number generator. 
5. (Original) The method of claim 1, further comprising storing the security value on the server.

6. (Original) The method of claim 1, further comprising:

associating the security value with session information corresponding to the 
authenticated user; and 

communicating the session information and the security value to the authenticated user. 

7. (Original) The method of claim 1, wherein the authenticated user operates a client that
communicates with the server. 

8. (Canceled). 

9. (Currently Amended) The method of claim [[8]] 1, wherein the one URL is pre-constructed on 
the server. 

10. (Currently Amended) The method of claim [[8]] 1, wherein the one URL is constructed on the
client, and wherein the method further comprises: 

extracting the security value on the client; and 
appending the security value to the one URL on the client. 

11. (Currently Amended) A method for protecting a distributed application user, comprising:

providing a distributed application on a server; 

authenticating a user of the distributed application, wherein every user is authenticated; 
generating, on the server, a single security value for the authenticated user, wherein the
security value is a pseudo-random number; 

associating the security value with a set of uniform resource locators (URLs) 
corresponding to a set of commands of the distributed application, wherein each command 
comprises a command that can be used in a malicious attack against the authenticated user,
and wherein the one URL is associated with a command to delete files of the authenticated
user;

communicating the security value to a client operated by the authenticated user; 

receiving one of the set of URLs on the server from the client; 

determining if the one command is required to be associated with the security value, 
wherein the command is required to be associated with the security value if the command can 
be used in a malicious attack; 

executing the one command if the one command is not required to be associated with 
the security value; and 

if the one command is required to be associated with the security value: 

checking the one URL for the security value to determine if the one URL
originated from the authenticated user;

preventing execution of the command corresponding to the one URL if the
security value is not found with one URL or if there is an error in the security value; and

returning an error message to the authenticated user if the security value is not
found with the one URL or if there is an error in the security value, wherein the error
message prompts the authenticated user for confirmation before the one URL can be
executed.

12. (Canceled).

13. (Original) The method of claim 11, further comprising:

determining session information for the authenticated user; and 

associating the security value with the session information, wherein the communicating 
step comprises sending the session information and the security value to a client operated by 
the user. 

14. (Original) The method of claim 11, wherein the associating step comprises appending the 
security value to a set of URLs corresponding to a set of commands of the distributed 
application. 

15. (Original) The method of claim 11, wherein the one URL is pre-constructed on the server, 
and wherein client receives the one URL and the associated security value from the server. 

16. (Original) The method of claim 11, wherein the one URL is constructed on the client, and 
wherein the associating step comprises:

extracting the security value on the client; and 

appending the security value to the one URL. 

17. (Original) The method of claim 11, further comprising storing the security value on the
server, prior to communicating the security value to the client. 
18. (Currently Amended) A system for protecting a distributed application user, comprising:
a computer device having a processor and memory including: 

a security value system for generating a single security value for an authenticated user 
of a distributed application provided on a server, wherein every user is authenticated prior to 
generating the security value and the security value is a pseudo-random number; 

an association system for associating the security value with a set of commands of the 
distributed application, wherein each command comprises a command that can be used in a 
malicious attack against the authenticated user, wherein the association system associates the
security value to a set of uniform resource locators (URLs) that correspond to a set of
commands of the distributed application; and

a command checking system for: 

determining if the one command is required to be associated with the security value and 
executing the one command if the one command is not required to be associated with the 
security value, wherein the command is required to be associated with the security value if the 
command can be used in a malicious attack , and wherein the one command comprises a 
command to delete files of the authenticated user ; and 

if the one command is required to be associated with the security value: 

checking one of the set of commands received on the server from the
authenticated user for the security value to determine if the one command originated
from the authenticated user by checking one of the set of URLs received on the server
from the authenticated user for the security value,

preventing execution of the one command if the security value is not found with
the one command or if there is an error in the security value, and



Application/Control Number: 10/630,283 Page 8 

Art Unit: 2435 

returning an error message to the authenticated user if the security value is not 
found with the one command or if there is an error in the security value, wherein the 
error message prompts the authenticated user for confirmation before the one command 
can be executed. 

19. (Canceled). 

20. (Original) The system of claim 18, further comprising an authentication system for 
authenticating a user of the distributed application. 

21. (Previously Presented) The system of claim 18, wherein the security value, as a pseudo-
random number, is generated by a random number generator. 

22. (Original) The system of claim 18, wherein the security value is stored on the server. 

23. (Original) The system of claim 18, wherein the security value is associated with session 
information corresponding to the authenticated user, and wherein the session information and 
the associated security value are communicated to the authenticated user. 

24. (Original) The system of claim 18, wherein the command checking system comprises a filter 
servlet. 

25. (Original) The system of claim 18, wherein the authenticated user operates a client that 
communicates with the server. 
26. (Canceled).

27. (Currently Amended) The system of claim [[26]] 18, wherein the one URL is pre-constructed
on the server. 

28. (Currently Amended) The system of claim [[26]] 18, wherein the one URL is constructed on
the client, and wherein the client comprises a command system for 

extracting the security value on the client, and for appending the security value to the one URL. 

29. (Currently Amended) A computer program product stored on a computer readable medium 
for protecting a distributed application user, which when executed, comprises: 

program code for generating a single security value for an authenticated user of a 
distributed application provided on a server, wherein every user is authenticated prior to 
generating the security value and the security value is a pseudo-random number; 

program code for associating the security value with a set of commands of the 
distributed application, wherein each command comprises a command that can be used in a 
malicious attack against the authenticated user, wherein the program code for associating
associates the security value to a set of uniform resource locators (URLs) that correspond to a
set of commands of the distributed application;

program code for determining if the one command is required to be associated with the 
security value, wherein the command is required to be associated with the 
security value if the command can be used in a malicious attack , wherein the one command 
comprises a command to delete files of the authenticated user ; 
program code for executing the one command if the one command is not required to be
associated with the security value; and 

if the one command is required to be associated with the security value: 

program code for checking one of the set of commands received on the server 
from the authenticated user for the security value to determine if the one command 
originated from the authenticated user by checking one of the set of URLs received on 
the server from the authenticated user for the security value , for preventing execution of 
the one command if the security value is not found with the one command or if there is 
an error in the security value, and for returning an error message to the authenticated 
user if the security value is not found with the one command or if there is an error in the 
security value, wherein the error message prompts the authenticated user for 
confirmation before the one command can be executed. 

30. (Canceled). 

31. (Previously Presented) The computer program product of claim 29, further comprising
program code for authenticating a user of the distributed application. 

32. (Previously Presented) The computer program product of claim 29, wherein the security 
value, as a pseudo-random number, is generated by a random number generator. 

33. (Previously Presented) The computer program product of claim 29, wherein the security 
value is stored on the server. 
34. (Previously Presented) The computer program product of claim 29, wherein the security
value is associated with session information corresponding to the authenticated user, and 
wherein the session information and the associated security value are communicated to the 
authenticated user. 

35. (Previously Presented) The computer program product of claim 29, wherein the program 
code for checking comprises a filter servlet. 

36. (Previously Presented) The computer program product of claim 29, wherein the 
authenticated user operates a client that communicates with the server. 

37. (Canceled). 

38. (Currently Amended) The computer program product of claim [[37]] 29, wherein the one
URL is pre-constructed on the server. 

39. (Currently Amended) The computer program product of claim [[37]] 29, wherein the one
URL is constructed on the client, and wherein the client comprises a program code for 
extracting the security value on the client, and for appending the security value to the one URL. 
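The mechanism recited in claims 1 and 11 (a single pseudo-random security value generated for an authenticated session, appended on the server to the URLs of commands that could be abused against the user, checked when a URL is received, and refused with a confirmation prompt when the value is missing or wrong) is shown below as an added Python example. It is not part of the application or of this office action; the command table, the paths, the session identifier and the `sv` query-parameter name are constructed assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed command table for a hypothetical distributed application.  A
# command is "dangerous" when it could be used in a malicious (cross-site
# forged) request against the authenticated user; only those commands are
# required to carry the security value (claim 1, "determining" step).
COMMANDS = {
    "/app/viewProfile": {"dangerous": False},
    "/app/deleteFiles": {"dangerous": True},   # the claims' own example
    "/app/changeEmail": {"dangerous": True},
}


class SecurityValueStore:
    """Server-side store holding one pseudo-random security value per
    authenticated session (claims 5, 6 and 13: stored on the server and
    associated with session information)."""

    def __init__(self):
        self._by_session = {}

    def generate(self, session_id):
        # One value per authenticated session, from a CSPRNG-backed source.
        value = secrets.token_urlsafe(32)
        self._by_session[session_id] = value
        return value

    def get(self, session_id):
        return self._by_session.get(session_id)


def build_url(path, session_id, store, **params):
    """Pre-construct a command URL on the server (claims 9 and 15), appending
    the session's security value only when the command requires it."""
    if COMMANDS[path]["dangerous"]:
        params["sv"] = store.get(session_id)
    query = urlencode(params)
    return path + ("?" + query if query else "")


def handle_request(url, session_id, store, execute):
    """Check one received URL on the server.  Returns (status, body).
    `execute` is the hypothetical command executor, called only when allowed."""
    parsed = urlparse(url)
    path = parsed.path
    if path not in COMMANDS:
        return 404, "unknown command"
    # Commands that cannot be abused are executed without the security value.
    if not COMMANDS[path]["dangerous"]:
        return 200, execute(path)
    presented = parse_qs(parsed.query).get("sv", [None])[0]
    expected = store.get(session_id)
    if presented is None:
        # Value absent: a request forged from another origin cannot read the
        # value, so it arrives without it.  Do not execute; prompt the user.
        return 403, "security value missing; confirm to execute " + path
    if expected is None or not secrets.compare_digest(presented, expected):
        # Value present but wrong: same outcome, constant-time comparison.
        return 403, "security value invalid; confirm to execute " + path
    return 200, execute(path)


def demo():
    """Constructed walk-through: one legitimate request, two that must be
    refused, and one harmless command that needs no value."""
    store = SecurityValueStore()
    store.generate("session-A1")
    run = lambda path: "executed " + path
    good = build_url("/app/deleteFiles", "session-A1", store)
    return {
        "legitimate": handle_request(good, "session-A1", store, run)[0],
        "missing_value": handle_request("/app/deleteFiles", "session-A1", store, run)[0],
        "wrong_value": handle_request("/app/deleteFiles?sv=guess", "session-A1", store, run)[0],
        "harmless": handle_request("/app/viewProfile", "session-A1", store, run)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The confirmation prompt of the claims is modelled as the 403 body; a real application would render it as a page the user must submit. The value is compared in constant time so that a wrong value and a missing value take the same path and neither leaks anything about the stored value.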

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to BEEMNET W. DADA whose telephone number is (571) 272-3847. The
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Beemnet W Dada/ 
Examiner, Art Unit 2435 
March 14, 2009 



